IIA EBusiness Audit Demystified

1
Conference Workshop
Continuous Auditing An Approach for Today
Univ. of Salford, 30 October 2009
Presented by Anton Bouwer www.acl.com
2
AGENDA

• The Phrase
• The Distinction
• Approach for Todays Requirements
• Summary

3
Definition of Continuous Auditing

• CONTINUOUS
• Never ends
• When cycle ends, next starts
• AUDITING.
• Access information
• Know business
• Verify info
• Express/Report

4
Definition of Continuous Auditing

• Can CA be possible without human interface?
• Are we disrespecting the auditor?
• Square peg, round hole?
• Diluting the concept audit?
• Legal issues? Ignore at own peril!

5

• The Distinction

• MONITOR/REPORT
• Monitoring Reporting checks every transaction
• One record at a time
• Type Control
• Implemented FOR management
• AUDIT
• Auditing is looking for verifying exceptions
• Independently
• Comparing each record against expected norms
• Audit efficiency more than 1 record at a time
• Type Audit compliance or substantive

6
What is the PROBLEM?

• The only way to get CA to the masses (auditors)
• Build bridge from todays audit program to the
  SciFi CA system. Dont start in 2010, start in
  2002.
• Ask auditors what they want verify result
  (Majority rules). Remember budget!
• Messing with age old principles
• Lets learn from the E-Bubble Y2K Euro
  conversion!!! How big a part did we play in this?
  How much did we cost commerce?

7
Approach to CA Development

• NOT Complex
• NOT Technical
• Audit approach result (NOT contol)
• Obtain top level buy-in top level sponsor
• One application at a time
• Get specialist assistance

8
Implementing Continuous Auditing

• Setting up the project
• Perform detailed risk analysis
• Link to risk measurement
• Anticipate exceptions develop specifications
• Plan access to data
• Plan the audit frequency and audit response

9
Implementing Continuous Auditing

• Develop and implement the continuous auditing
  application
• Test Acceptance
• Maintenance and redesign
• Post Implementation Review
• Regular auditing of the continuous auditing
  application

10
Pitfalls

• What to measure?
• Exceptions
• Trends on statistics ratios
• Difficult to get data access
• Auto update of audit database
• Top-level sponsor
• Slow death

11
Pitfalls

• Audit independence

12
Case Study

• Background
• Banking finance entity
• Strategic risk analysis identified reputational
  risk as very high due to impact
• Management expect auditor to review risk on more
  regular basis

13
Case Study

• Solution
• Measure (audit) risk
• Report on risk measurement
• Automate process
• Schedule future audits and reporting frequency

14
Risk Measurement
15
Develop Specifications
16
Technical Specifications
17
Efficient Data Access
18
Develop Application
19
Schedule Application
20
Real-time Notification
21
Audit Verification
22
Continuous Reporting
23
Automated data download
Automated audit
Continuous Audit Cycle
Report
Audit Verification
Automated scheduling
24
Summary

• Start at Risk Analysis
• Do not forget 8020
• Prove benefits ()
• Internal audit implement, external audit share
  benefits (Consulting opportunities - )
• Wonderful trends!!!
• Technical barriers are smallest problem
• Risk can not be measured, managed?

25
Thank You
www.acl.com anton_bouwer_at_acl.com